December 19, 2018
In 1965, the Singapore government created the National Registration Identity Card (NRIC) as a means of identification for all citizens and permanent residents.
Whilst the NRIC may be viewed as just a string of numbers assigned to every individual at birth, the significance of these digits cannot be taken lightly as it uniquely identifies every Singaporean or Permanent Resident.
However, organisations in Singapore have, for the sake of convenience, grown accustomed to request that customers provide them with NRIC details in exchange for the provision of goods and services. For instance, in many cases individuals still need to submit their NRIC details in order to participate in lucky draws, or even to register for gym memberships.
Such practices have made customers less wary of how their personal data could be compromised. However, recent data breaches in Singapore, have made individuals more cautious of the personal data they are giving out to organisations. Hot on the heels of the SingHealth data breach, Singapore’s Personal Data Protection Commission (PDPC) announced tighter rules to be implemented on the collection, use or disclosure of identity documents.
From 1 September 2019, organisations will no longer be allowed to ask for NRIC details and other identification documents as they see fit. Instead, they will only be allowed to do this when there is an important reason to identify an individual to a high degree of certainty such as verifying a patient’s identity for medical treatment. What this means for individuals is that if they don’t feel comfortable in sharing their personal NRIC details in some cases, they don’t necessarily have to.
When to share or not to share?
It is important to know when it is absolutely necessary to share NRIC details and when not to, for example:
There are some instances where an organisation may collect personal data without the consent of the individual or from a source other than the individual, for example:
Consumers should also know the circumstances in which their personal data should not be collected, used or disclosed, for example:
Tips for safeguarding personal data
Apart from understanding the PDPC’s guidelines on the collection, use and disclosure of personal data, individuals should be careful only to provide their NRIC details when absolutely necessary.
Organisations that hold personal data need to exercise great caution in ensuring that the collection, use and disclosure of the information abides by the PDPC’s guidelines.
It is also a best practice for organisations to adopt a clean desk policy or shred-it All policy for unwanted documents and ensure that any hard drives which are no longer required are disposed of securely. These are important practices to maintain so that no personal data is lost.
Start Protecting Your Business
An organisation that integrates a personal data protection plan into its business processes can help reduce the risk of a data breach.